[kwlug-disc] Generating and using PGP keys
cdfrey at foursquare.net
Thu Feb 19 20:44:11 EST 2009
On Thu, Feb 19, 2009 at 08:31:33PM -0500, unsolicited wrote:
> Paul Nijjar wrote, On 02/19/2009 8:07 PM:
> >And for those of us who use webmail from public computers
> >exclusively, it means we don't use GPG at all.
> Does Chris' note of FireGPG for Firefox help you here at all?
Only if you trust the machine FireGPG is running on.
And an internet cafe computer, which for some is their only computer,
is not trustable.
> I thought many (?) people kept their keys on their USB key, which they
> keep with them at all times. Is this not good practice / does it not
> work for you?
In my opinion, you want to have your private key in as few places as
possible. Carrying it on a USB key doesn't really help you, because
you have no way of using it. You could plug it into my computer and use
a guest account to send your emails, but you have no idea if I have a
keystroke logger installed while copying your USB data in the background.
A better solution would be to carry your own netbook around, which contains
your private key, and provides you with a trusted computer with which
to use it.
> - which brings up a good question: what do you do when you lose your
> USB key? (If I understand Chris' comments correctly, a smart thing to
> do is to get your primary key, and immediately generate another key,
> and you keep the intermediate on the USB. Then if you lose it, you
> 'cancel' that key, and re-generate from your primary. Or something
> like that.)
This might work for a signing-only key. Once you revoke your compromised
key, people would know not to trust documents signed with the it. There
would be a window of delay where people might trust bad documents, but
none of your secrets would be lost.
But if you lose your encryption key, then all that email you thought
was private is now potentially "public". You can't revoke what is already
in the attacker's hands.
More information about the kwlug-disc_kwlug.org